Cato Networks
Cato Networks provides an enterprise cloud service offering several integrated networking and security tools. These can be used to connect “all branch offices, mobile users, physical and cloud data centers to provide secure WAN and internet connectivity everywhere.”
To set up Cato Networks:
- Read the requirements and complete any prerequisite steps.
- Create an API key and obtain your Account ID from Cato Networks.
- Set up the Cato Networks event source in SIEM (InsightIDR).
- Verify the configuration works.
You can also review the sample logs and troubleshoot common issues (see the sections at the end of this page).
Requirements
Before you start the configuration:
- Ensure you have access to a Cato Networks account with Editors access.
- Determine the region identifier for the relevant Cato API from the following table. You will need to provide this region when configuring the event source in SIEM (InsightIDR). Read Cato’s documentation for more information on the API endpoint and schema.
| Region | Cato API URL |
|---|---|
| EU | https://api.catonetworks.com/api/v1/graphql2 |
| US | https://api.us1.catonetworks.com/api/v1/graphql2 |
| India | https://api.in1.catonetworks.com/api/v1/graphql2 |
Create an API key and obtain your Account ID from Cato Networks
- Log in to your Cato Networks Editors Account.
- Record the Account ID that appears in the Cato Networks URL to a temporary text file. If you have multiple account IDs you wish to monitor, repeat this step for each. For example, if your Account ID is “1234” then the URL should look like:
https://rapid7.catonetworks.com/#!/1234/topology
- Open the Navigation Menu and click Administration > API Management.
- Enter a Name for the key and click Apply. If the key is created successfully, a window appears displaying the new API key.
- Click the Copy icon to copy your API key and save it to a secure location. Once you close the window, the value of the API key can no longer be retrieved; if it is lost, you must create a new key. Treat the key like a password: it grants read access to your account’s event feed, so store it only in a secrets store or in the SIEM (InsightIDR) credential you create below, and revoke it in API Management if it is ever exposed.
- Click Ok to close the API window.
- On the API Management page click the Event Feed Enabled toggle to enable your account to send events to the Cato API servers.
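The following script is an added example, not Rapid7’s or Cato’s code. It exercises the three things the steps above produce: the API key (sent as the x-api-key header), one or more Account IDs read from the console URL, and the regional endpoint from the requirements table. The eventsFeed query shape (marker, fetchedCount, accounts with id, errorString and records of time plus fieldsMap) follows Cato’s public GraphQL schema as I understand it; confirm the field names against Cato’s API documentation before relying on them. The environment variable names and the offline SAMPLE_PAGE are my own constructions.

```python
"""Poll the Cato eventsFeed GraphQL API with the key, account IDs and region
set up above. Added example; not Rapid7's or Cato's code."""
import json
import os
import re
import sys
import urllib.request

# Region table from the requirements section.
REGION_ENDPOINTS = {
    "EU": "https://api.catonetworks.com/api/v1/graphql2",
    "US": "https://api.us1.catonetworks.com/api/v1/graphql2",
    "India": "https://api.in1.catonetworks.com/api/v1/graphql2",
}

# Query shape assumed from Cato's public schema: records come back as
# {time, fieldsMap} (the shape shown under Sample Logs), and errorString
# reports a per-account problem (e.g. event feed not enabled) without hiding
# events from the other accounts in the same request.
EVENTS_FEED_QUERY = """
query eventsFeed($accountIDs: [ID!]!, $marker: String) {
  eventsFeed(accountIDs: $accountIDs, marker: $marker) {
    marker
    fetchedCount
    accounts { id errorString records { time fieldsMap } }
  }
}
"""

_ACCOUNT_ID_RE = re.compile(r"#!/(\d+)/")


def extract_account_id(console_url: str) -> str:
    """https://rapid7.catonetworks.com/#!/1234/topology -> "1234"."""
    match = _ACCOUNT_ID_RE.search(console_url)
    if not match:
        raise ValueError(f"no account ID in {console_url!r}")
    return match.group(1)


def endpoint_for_region(region: str) -> str:
    if region not in REGION_ENDPOINTS:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(REGION_ENDPOINTS)}")
    return REGION_ENDPOINTS[region]


def request_body(account_ids, marker: str = "") -> dict:
    """GraphQL body for the page after `marker`; an empty marker starts at the
    oldest retained event. Account IDs are sent as strings, as in the URL."""
    return {"query": EVENTS_FEED_QUERY,
            "variables": {"accountIDs": [str(a) for a in account_ids], "marker": marker}}


def build_request(region: str, api_key: str, account_ids, marker: str = "") -> urllib.request.Request:
    return urllib.request.Request(
        endpoint_for_region(region),
        data=json.dumps(request_body(account_ids, marker)).encode(),
        headers={"Content-Type": "application/json", "x-api-key": api_key},
        method="POST",
    )


def parse_events_page(payload: dict):
    """Return (next_marker, [(account_id, time, fieldsMap)], [(account_id, error)])."""
    if payload.get("errors"):  # top-level GraphQL errors: bad key, bad query, wrong region
        raise RuntimeError(payload["errors"])
    feed = payload["data"]["eventsFeed"]
    records, errors = [], []
    for acct in feed["accounts"]:
        if acct.get("errorString"):
            errors.append((acct["id"], acct["errorString"]))
            continue
        for rec in acct.get("records") or []:
            records.append((acct["id"], rec["time"], rec["fieldsMap"]))
    return feed["marker"], records, errors


def fetch_events(region, api_key, account_ids, marker="", max_pages=50):
    """Follow markers until a page is empty or max_pages is hit. Persist the
    returned marker between runs so the same events are not read twice."""
    collected = []
    for _ in range(max_pages):
        with urllib.request.urlopen(build_request(region, api_key, account_ids, marker), timeout=30) as resp:
            marker, records, errors = parse_events_page(json.load(resp))
        for acct_id, err in errors:
            print(f"account {acct_id}: {err}", file=sys.stderr)
        if not records:
            break
        collected.extend(records)
    return marker, collected


# Constructed offline sample in the assumed response shape; the record is the
# page's internet-firewall sample, trimmed to a few fields.
SAMPLE_PAGE = {"data": {"eventsFeed": {"marker": "marker-after-first-page", "fetchedCount": 1,
    "accounts": [{"id": "5678", "errorString": None, "records": [
        {"time": "2021-12-01T15:07:11Z",
         "fieldsMap": {"event_sub_type": "Internet Firewall", "action": "Monitor",
                       "internalId": "FH67fuFj6H", "vpn_user_email": "john.adams@catonetworkscustomer.com"}}]}]}}}

if __name__ == "__main__":
    key = os.environ.get("CATO_API_KEY")  # assumed variable names, set by the operator
    ids = [extract_account_id(os.environ.get("CATO_CONSOLE_URL", "https://rapid7.catonetworks.com/#!/1234/topology"))]
    if key:
        marker, records = fetch_events(os.environ.get("CATO_REGION", "EU"), key, ids)
        print(f"fetched {len(records)} records; save marker {marker!r} for the next poll")
    else:
        marker, records, errors = parse_events_page(SAMPLE_PAGE)
        for acct_id, when, fields in records:
            print(acct_id, when, fields["event_sub_type"], fields.get("vpn_user_email"))
```

Without CATO_API_KEY set, the script only parses the embedded sample, which is enough to check the account-ID and region handling before you hand the key to the collector. If the live call returns an errorString for an account, check the Event Feed Enabled toggle for that account first.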
Configure SIEM (InsightIDR) to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).
To configure the new event source in SIEM (InsightIDR):
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Cato Networks in the event sources search bar.
- In the Product Type filter, select Firewall.
- Select the Cato Networks event source tile.
- Name your event source. If you do not, SIEM (InsightIDR) will apply the default event source name “Cato Networks”.
- Choose your collector and Cato Networks from the event source drop-down.
- Enter the Account ID that you recorded from the Cato Networks URL. To monitor multiple accounts, enter each Account ID separated by a comma.
- Select your credentials, or create a new credential. If you are creating a new credential, enter the API key you created in Cato Networks.
- In the Region dropdown, select the relevant region identifier you determined in the requirements.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Select an attribution source.
- Click Save.
Verify the configuration
Complete the following steps to view your logs and ensure events are making it to the Collector.
- On the new event source that was just created, click View raw log. If you see log messages in the box, then this shows that logs are flowing to the Collector.
- Go to Alerts > Log Search.
- Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Cato Networks” if you did not name the event source. Cato Networks logs flow into the Cato Networks log set.
Sample Logs
Example of internet firewall logs:
{
"time": "2021-12-01T15:07:11Z",
"fieldsMap": {
"ISP_name": "Firewall (Internet) ISP",
"account_id": "5678",
"action": "Monitor",
"application": "DNS",
"dest_ip": "10.0.0.2",
"dest_is_site_or_vpn": "Site",
"dest_port": "53",
"dest_site": "CSI LV-SWI",
"event_count": "1",
"event_sub_type": "Internet Firewall",
"event_type": "Security",
"internalId": "FH67fuFj6H",
"ip_protocol": "UDP",
"os_type": "OS_WINDOWS",
"os_version": "10",
"pop_name": "PopName",
"rule": "Migrated by Cato Allow All WAN",
"rule_id": "1234",
"rule_name": "Migrated by Cato Allow All WAN",
"src_country": "United States of America",
"src_ip": "10.0.0.1",
"src_is_site_or_vpn": "VPN User",
"src_isp_ip": "10.0.0.3",
"src_site": "John Adams",
"time": "1638371231662",
"vpn_user_email": "john.adams@catonetworkscustomer.com"
}
}
Example of WAN firewall logs:
{
"time": "2021-12-01T15:06:59Z",
"fieldsMap": {
"ISP_name": "Firewall (WAN) ISP",
"account_id": "5678",
"action": "Monitor",
"application": "HTTP(S)",
"dest_ip": "10.0.0.5",
"dest_is_site_or_vpn": "Site",
"dest_port": "80",
"dest_site": "CSI LV-SWI",
"event_count": "1",
"event_sub_type": "WAN Firewall",
"event_type": "Security",
"internalId": "f85jFRj683",
"ip_protocol": "TCP",
"os_type": "OS_WINDOWS",
"os_version": "10",
"pop_name": "PopName",
"rule": "Migrated by Cato Allow All WAN",
"rule_id": "1234",
"rule_name": "Migrated by Cato Allow All WAN",
"src_country": "United States of America",
"src_ip": "10.0.0.4",
"src_is_site_or_vpn": "VPN User",
"src_isp_ip": "10.0.0.6",
"src_site": "Kerry Smith",
"time": "1638371219092",
"vpn_user_email": "kerry.smith@catonetworkscustomer.com"
}
}
Troubleshoot common issues
Due to limitations in the Cato EventsFeed API, the Cato Networks event source can process a maximum of 3 million events every 30 minutes. If your environment generates more events than this limit, SIEM (InsightIDR) cannot ingest them fast enough, which may result in a growing backlog and delayed visibility into events.
This behavior is expected and is not caused by the collector, JSON processing, or network performance. Instead, it is constrained by API throughput limits.
Identify this issue
You may be experiencing API throughput limits if:
- Events appear in SIEM (InsightIDR) with a noticeable delay.
- The backlog of unprocessed events continues to grow over time.
- Event ingestion does not keep pace with the volume generated in your environment.
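The script below is an added example, not Rapid7’s or Cato’s code, that turns the three symptoms above into numbers you can check from a page of eventsFeed records in the Sample Logs shape: per-record lag between event time and fetch time, whether that lag keeps growing from one poll to the next, and the delivered rate against the 3 million events per 30 minutes ceiling stated earlier. The two records are the page’s own samples trimmed to a few fields; the fetch times, polling window and the 900-second lag threshold are constructed for illustration and should be tuned to your environment.

```python
"""Measure ingest lag and delivered rate from eventsFeed records.
Added example; not Rapid7's or Cato's code."""
from datetime import datetime, timezone
from statistics import median

# Ceiling from the troubleshooting text: 3,000,000 events per 30 minutes.
CEILING_PER_SEC = 3_000_000 / (30 * 60)  # ~1666.7 events/s

# The page's two sample records, trimmed. Note the two timestamps per record:
# the outer ISO-8601 time (second resolution) and fieldsMap["time"] in epoch
# milliseconds.
SAMPLE_RECORDS = [
    {"time": "2021-12-01T15:07:11Z",
     "fieldsMap": {"internalId": "FH67fuFj6H", "event_sub_type": "Internet Firewall",
                   "time": "1638371231662", "vpn_user_email": "john.adams@catonetworkscustomer.com"}},
    {"time": "2021-12-01T15:06:59Z",
     "fieldsMap": {"internalId": "f85jFRj683", "event_sub_type": "WAN Firewall",
                   "time": "1638371219092", "vpn_user_email": "kerry.smith@catonetworkscustomer.com"}},
]


def parse_iso(ts: str) -> datetime:
    """Parse the record-level 'time' (ISO-8601, UTC, second resolution)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def event_time(rec: dict) -> datetime:
    """Prefer the millisecond epoch in fieldsMap['time']; fall back to the
    outer timestamp when it is absent or not numeric."""
    ms = rec.get("fieldsMap", {}).get("time", "")
    if ms.isdigit():
        return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)
    return parse_iso(rec["time"])


def lag_stats(records, fetched_at: datetime) -> dict:
    """Seconds between each event's time and the moment the page was fetched."""
    lags = [(fetched_at - event_time(r)).total_seconds() for r in records]
    return {
        "count": len(lags),
        "max_lag_s": max(lags) if lags else 0.0,
        "median_lag_s": median(lags) if lags else 0.0,
    }


def backlog_growing(polls) -> bool:
    """polls: [(fetched_at, records), ...] in poll order. True when the oldest
    event in each page falls further behind on every successive poll."""
    max_lags = [lag_stats(recs, at)["max_lag_s"] for at, recs in polls]
    return len(max_lags) >= 2 and all(b > a for a, b in zip(max_lags, max_lags[1:]))


def classify(count: int, window_s: float, max_lag_s: float, lag_threshold_s: float = 900.0) -> str:
    """Distinguish the API ceiling from other causes of delay:
    - lag within threshold            -> "ok"
    - lagging and rate near ceiling   -> "api_limited" (the case described above)
    - lagging but rate well below it  -> "delayed_below_ceiling": the feed is not
      saturated, so look at the collector, network path or proxy instead."""
    rate = count / window_s
    if max_lag_s <= lag_threshold_s:
        return "ok"
    if rate >= 0.9 * CEILING_PER_SEC:
        return "api_limited"
    return "delayed_below_ceiling"


if __name__ == "__main__":
    # Constructed fetch times: 20 and 25 minutes after the sample events.
    first = parse_iso("2021-12-01T15:27:11Z")
    second = parse_iso("2021-12-01T15:32:11Z")
    stats = lag_stats(SAMPLE_RECORDS, first)
    print(f"{stats['count']} records, max lag {stats['max_lag_s']:.1f}s, median {stats['median_lag_s']:.1f}s")
    print("backlog growing:", backlog_growing([(first, SAMPLE_RECORDS), (second, SAMPLE_RECORDS)]))
    print("verdict:", classify(stats["count"], window_s=60, max_lag_s=stats["max_lag_s"]))
```

Run it against successive pages pulled from the API (or the raw log view on the event source) rather than the two embedded samples; the embedded run deliberately reports "delayed_below_ceiling", which is the case where the API limit is not the explanation and the collector-side actions below apply.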
Reduce event backlog
To improve ingestion performance and reduce backlog, consider these actions.
Actions in Cato Networks
- Work with Cato Support to review and optimize API usage:
- Confirm enforced per-tenant throughput limits, including requests per minute, payload size, and concurrency limits.
- Request increased limits or a high-volume export configuration, if available.
- Enable higher-throughput export options, where Cato offers them for your account, such as:
- Bulk export endpoints
- Asynchronous job exports
- Streaming or firehose delivery methods
- Reduce query complexity by:
- Minimizing selected fields
- Avoiding expensive joins or enrichments
- Removing redundant data
- Use regional API endpoints that are closest to your deployment to reduce round-trip time (RTT).
Actions in SIEM
- Optimize your environment and event volume:
- Deploy the collector closer to the Cato API region or your network egress point to reduce latency.
- Ensure sufficient outbound bandwidth and minimal packet loss.
- Bypass outbound proxies or TLS inspection for the Cato API host to reduce latency and jitter. Scope the bypass to the specific Cato API hostname for your region rather than the collector as a whole, so other outbound traffic from the collector stays inspected.
- Reduce event volume at the source by:
- Disabling low-value or noisy event categories
- Lowering verbosity where possible
- Filtering duplicate or unnecessary events
- Verify DNS resolution and firewall rules to prevent connection resets and retries.
If ingestion delays persist after applying these recommendations, contact Rapid7 Support for further investigation.